  • Kris Janssen 210 posts 569 karma points c-trib
    Jan 30, 2015 @ 11:51
    Kris Janssen
    1

    Potential security issue with "public access" feature

    I am a non-paying user of Umbraco so I do not know how to get specific support but I maintain a conference website for my group based on:

    1. Umbraco version 7.1.6 assembly: 1.0.5350.25714 (upgrading is not an option so close to the conference deadline).
    2. Umbraco Contour version 3.0.21 (might not be relevant)

    I have defined two member groups for my front-end. Most members are "participants", some are "admin" (referees and such).

    There is one critical page where "admins" can see all abstracts submitted and do stuff with them. This page should not be visible to regular "participants", so I did the following:

    1) I have defined "public access" such that only admins can see it.
    2) All partial views related to navigation take access settings into account.

    I have tested over and over with dummy accounts that all is as intended.

    However, this morning I was notified by a participant that he/she could actually see the "Admin"-only page, both in the navigation structure as well as the actual page itself.

    At that time, I myself could not reproduce with my dummy front-end account and after a few minutes of Emailing back and forth the person claimed the problem "went away" without me even having logged into the backend to check/change things.

    I recall having the Umbraco "forget" public access settings immediately after setting them, much like there are sometimes caching issues upon updating pages but never spontaneously like this.

    I am actually quite worried by this.

    I could supply URLs and demo accounts to Core team members.

    What could be going on?

    UPDATE 1:

    1. The user has since been able to send a screenshot confirming that indeed she hád access to something she should not.
    2. I do not seem to be the only one experiencing this: http://our.umbraco.org/forum/using/ui-questions/7147-logging-public-access-changes

    UPDATE 2:

    access.config is correct and appears to have been unchanged for ages:

    <access>
      <page id="1183" loginPage="1168" noRightsPage="1168" simple="False">
        <group id="Participants" />
      </page>
      <page id="1192" loginPage="1168" noRightsPage="1168" simple="False">
        <group id="Participants" />
      </page>
      <page id="1249" loginPage="1168" noRightsPage="1168" simple="False">
        <group id="Admins" />
      </page>
    </access>
    
  • Jan Skovgaard 11280 posts 23678 karma points MVP 10x admin c-trib
    Jan 31, 2015 @ 09:55
    Jan Skovgaard
    0

    Hi Kris

    Could you be missing a check for whether the current member has access for a particular node when you're rendering the code? If you're not checking it then everyone who can login will be able to see the same pages.

    /Jan

  • Kris Janssen 210 posts 569 karma points c-trib
    Jan 31, 2015 @ 18:56
    Kris Janssen
    0

    Hi Jan,

    Could you be missing a check for whether the current member has access for a particular node when you're rendering the code?

    I actually check for those things as mentioned in all my sensitive razor scripts:

    Umbraco.MemberHasAccess(page.Id, page.Path)
    

    The problem does not lie there though.

    It has happened repeatedly that the node itself, which should have access restrictions, is visible to everyone even though it should not be. Often this problem will pop up to go away again soon after without intervention of my own. As if Umbraco temporarily "forgets" that a certain page has public access settings for a page.
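    An added example (not code from this thread or from Umbraco itself) of how an Umbraco 7 Razor template can apply both the navigation check Jan asks about and an explicit role check on the admin page itself, so that a protection entry the site temporarily "forgets" does not on its own expose the content. The document type alias "abstractsAdmin" and the property alias "bodyText" are assumptions; the group name "Admins" and node id 1168 come from the access.config quoted above.

```cshtml
@inherits Umbraco.Web.Mvc.UmbracoTemplatePage
@using System.Web.Security
@{
    // Assumed names: document type alias "abstractsAdmin" for the referee page,
    // member group "Admins" as in access.config; node 1168 is the loginPage /
    // noRightsPage from the access.config quoted in the thread.
    var current = Model.Content;
    var root = current.AncestorOrSelf(1);
    var noRightsPage = Umbraco.TypedContent(1168);

    // Check 2 (defence in depth): the admin template verifies the member's role
    // itself, independently of the public-access settings, so a protection
    // entry that is temporarily "forgotten" does not by itself expose the
    // abstracts. Umbraco 7 members are exposed through the ASP.NET role
    // provider, so Roles.IsUserInRole works for front-end members here.
    var isAdmin = User.Identity.IsAuthenticated && Roles.IsUserInRole("Admins");
    if (current.DocumentTypeAlias == "abstractsAdmin" && !isAdmin)
    {
        Response.Redirect(noRightsPage.Url, endResponse: true);
        return;
    }
}
<nav>
  <ul>
  @foreach (var node in root.Children.Where(x => x.IsVisible()))
  {
      // Check 1: honour access.config for every node rendered in navigation.
      // Hides protected nodes from members outside the allowed group and from
      // anonymous visitors; this is the check Jan asks about.
      if (!Umbraco.MemberHasAccess(node.Id, node.Path)) { continue; }
      <li><a href="@node.Url">@node.Name</a></li>
  }
  </ul>
</nav>
<main>
  @Umbraco.Field("bodyText")  @* assumed property alias *@
</main>
```

Check 1 alone is what the public-access feature gives you; Check 2 is the belt-and-braces role test that still holds when the backend tree shows the node as unprotected.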

  • Kris Janssen 210 posts 569 karma points c-trib
    Feb 09, 2015 @ 15:48
    Kris Janssen
    100

    Hello All,

    The issue described above popped up again and this time, I have experienced it first hand:

    1. Some of my nodes have role based protection.
    2. When I occasionally restart my site it will happen that pages under protection become accessible to the general public and when they do, they also show as unprotected in the backend tree view while all the time access.config remains unchanged:

    (screenshot)

    3. Restarting the site somehow magically restores the protected status of the page:

    (screenshot)

    I can provide a full DB and filesystem backup of this site if need be but I think this is quite serious. I need to be able to trust the page protection status...

    Could somebody look at this?

    Update

    I have created an issue

    Best regards,

    Kris

  • Kris Janssen 210 posts 569 karma points c-trib
    Feb 27, 2017 @ 20:00
    Kris Janssen
    0

    Issue U4-6247 is fixed :)
